Mobile device management has become alphabet soup

The BYOD movement, once looked on as the holy grail of employee satisfaction and IT mobile device security, is increasingly being supplanted by a number of options – such as COBO, CYOD, COPE – that draw a thicker line between personal and business uses.

Get a job and a company-issued cellphone and computer in exchange? Stop living in the past, man. Companies don’t necessarily operate this way anymore, especially as our work and personal lives become more and more intertwined.

But BYOD isn't the only acronym in the game, especially since employees are pushing back. According to a recent survey conducted by Bitglass, 57 percent of employees – and 38 percent of IT professionals – do not participate in their company's BYOD program because they don't want employers to have visibility into their personal data and applications.

Plus, being able to wipe an employee's phone doesn't always keep your company's data safe. Not only can a good hacker prevent wiping a phone by putting it into airplane mode, but your employee might not even report the device is missing. A 2014 survey conducted by ZixCorp found that while 59 percent of employees would immediately report a lost device to an employer if the employer had the capability to wipe the phone, 12 percent would wait a few days, 3 percent would wait a week and 5 percent would wait over a week. That's a long time for your corporate information to be floating out in nefarious hands.

Here are a few alternatives.

COBO

Corporate-Owned, Business Only is the model that most companies have used in the past: We give you a device, but we tell you to not do anything personal with it.

Almost from the start, says Nigel Johnson, vice president at ZixCorp, that's never been reality. As soon as he got his first work email address, which was supposed to be used for internal communication, he broke that rule.

"C'mon," he says. "The second I could communicate with my wife externally, I was communicating with my wife externally."

No matter how many rules or safeguards you try to put up, employees will use those company devices for personal use, which could open up the business part of the device to attacks.

CYOD

Choose Your Own Device is almost like BYOD except that instead of an employee bringing in a device to use for work, he or she can choose from a range of options approved by the company – and the device is usually owned and maintained by the company.

CYOD can work because it gives employees more flexibility in how they work so they can be most comfortable and productive (think of the millennial who's always worked on Apple products and wouldn't want to switch to a PC) while also giving the employer control of those devices. CYOD doesn't mean that employees can choose whatever they want, either. That would drive your IT department to the brink. The best policies, according to Insight, give employees options through a range of approved devices from a list of approved configurations.

COPE

And that's where Corporate-Owned, Personal Use comes in. That's a policy that lets employees do personal stuff on the devices you supply to them.

What matters more than who's supplying the device, says Domingo Guerra, co-founder of Appthority, is who has the right to control what goes on the device -- like public apps, which can create security problems that wouldn't be issues on a completely personal device.

"It used to be that the company was the gatekeeper as to what software came into the enterprise," he says. "As users we didn't have admin rights."

Some apps that employees will want to put onto a phone -- ones that seem safe -- will create issues for a company, especially one that deals with compliance issues. Apps that read the phone's address book and store files directly in secure public clouds are going to be a problem.

A solution – for COPE and BYOD – is for a company to identify apps that present risk rather than keeping a manual list of apps that are OK (that would be a herculean task, says Guerra). Companies can also identify a range of third-party apps in specific areas where employees are already looking, like productivity, expense reports and note taking, and then present that list to employees. Not only does that save employees time in trying to find the right tool, but it also lets the company keep data safe.

"We don't have to be afraid of the apps out there," Guerra says. The question instead is "how can we enable a safe environment?"

The hybrid approach

This is what Johnson says will be the future: not quite BYOD, not quite COBO, not quite COPE, but a mix that will work per employer and sometimes per employee.

"A majority of employees want to use one device and carry one device wherever they go," he says. For those employees, a company can "install a solution that keeps data off a device and allows them to have a clean separation between their data and company data."

That won't work for everyone, especially those who travel and need full access to company data in order to do their jobs. One example: a controller who "is on the road and needs access to financial systems," he says.

That employee will need a COBO device, but also may have a solution added to a personal phone so that a company can still call outside of work hours. That personal phone may also have a solution added to it that allows the employee to look at email and a calendar without having to pull out the work phone.

He predicts that most employees will eventually shift to BYOD, as long as they know that their personal information is safe and separate. "You bring your phone, we pay you a small stipend, and you just need to run this little app," he says. As long as that app protects the company's data, and also insulates the employee's privacy, BYOD isn't going away. It just may have some acronym company for a while.

This story, "Mobile device management has become alphabet soup," was originally published by CIO.